NetBSD-Users archive


Using LDAP for auth against LINUX



Hello all and a happy new year,

I'm in the process of changing our infrastructure from NIS to LDAP. In the past
NIS was hosted on an AlphaServer 1200 with Tru64 UNIX that acted as a file
server. Since the storage is going to be exhausted and buying more hard disks
was not an option, it was planned to buy a new server with plenty of storage.

The new server has arrived and got SuSE Linux Enterprise Server 10 installed
(there was no option to choose another OS :-( ). It will serve Windows clients
(NT, W2k, XP, ..) via Samba and Unix systems (Tru64, NetBSD, Linux, ..) via NFS.
Samba is configured as a PDC. Users are kept in LDAP so that password
synchronisation can easily be achieved. This setup works as expected.

Now, I have to adapt all the other systems to the new infrastructure. The most
urgent task is to switch the mail server to the new setup. The mail server is an
AlphaStation 255/300 with NetBSD-3.0.

$ > uname -a
NetBSD host 3.0 NetBSD 3.0 (GENERIC) #0

Since the change is in progress this server uses the old NIS databases to auth
users. But in the near future I have to switch to LDAP. The old NIS databases
are to be switched off.

So I installed the missing bits for LDAP, namely

  /usr/pkgsrc/security/pam-ldap/
  /usr/pkgsrc/databases/nss_ldap/
  /usr/pkgsrc/databases/openldap-client/

LDAP was configured with

  /usr/pkg/etc/openldap/ldap.conf

The entries I added are
  BASE       dc=some,dc=domain,dc=org
  URI        ldap://ldap.server
  TLS_CACERT /path/to/cert.pem

Using ldapsearch I can perfectly query the LDAP database and get the user
entries.

After verifying that the LDAP setup was working ok, I went ahead with configuring
NSS and PAM. This is where I am now, and I'm stuck, since I can't get that to
work as expected.

In order not to break the current setup I left NIS as is (there shouldn't be any
problem using both NIS and LDAP, however). pam_ldap.so was linked from
/usr/pkg/lib/security to /usr/lib/security. To get the configuration working I
used the HowTo from http://wiki.netbsd.se/OpenLDAP_Authentication_on_NetBSD.
nsswitch.conf got the ldap entries added

group:          files nis ldap
passwd:         files nis ldap

and /etc/pam.d/system was populated with ldap entries

auth      sufficient  pam_ldap.so
auth      sufficient  pam_krb5.so     no_warn try_first_pass
auth      required    pam_unix.so     no_warn try_first_pass nullok
account   sufficient  pam_ldap.so
account   required    pam_krb5.so
account   required    pam_unix.so
session   sufficient  pam_ldap.so
session   required    pam_lastlog.so  no_fail no_nested
password  sufficient  pam_ldap.so
password  sufficient  pam_krb5.so     no_warn try_first_pass
password  required    pam_unix.so     no_warn try_first_pass

I created /usr/pkg/etc/nss_ldap.conf and symlinked pam_ldap.conf to this file.

I do have a user entry in LDAP that does not exist in NIS. But whatever I try I
can't get getent(1) to produce output for this user (although NIS works ok for
other users).

Up to now I haven't made any step further.

What am I missing? Please feel free to ask for config data I have not provided
in this mail. I think LDAP isn't the problem, though, since ldapsearch produces
correct output.

Any hints are very much appreciated.

TIA

-- 


Uwe Lienig
----------
fon: (+49 351) 462 2780
fax: (+49 351) 462 3476
mailto:uwe.lienig%fif.mw.htw-dresden.de@localhost

Forschungsinstitut Fahrzeugtechnik
<http://www.fif.mw.htw-dresden.de>
parcels: Gutzkowstr. 22, 01069 Dresden
letters: PF 12 07 01,    01008 Dresden

Hochschule für Technik und Wirtschaft Dresden (FH)
Friedrich-List-Platz 1, 01069 Dresden

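Added example (not part of the original post or of any NetBSD, nss_ldap or pam_ldap code): a small POSIX sh audit of the three files the post describes, nsswitch.conf, /etc/pam.d/system and nss_ldap.conf. It writes constructed copies of them into a temporary directory (all hostnames, DNs and the bind password are invented) and checks the things a defender wants to know before switching auth over: that `ldap` really is a source for `passwd` and `group`, that pam_ldap.so is in the auth stack, whether pam_unix.so carries `nullok` (which lets accounts with an empty local password log in), whether the LDAP connection is encrypted and the server certificate checked, and whether a cleartext `bindpw` sits in nss_ldap.conf. That last point matters for the symlink the post mentions: nss_ldap.conf has to be readable by every process that resolves names, so any bindpw in it is readable by every local user, and a pam_ldap.conf symlinked to it inherits that exposure. The file layout and option names follow the nss_ldap/pam_ldap config syntax; the function names are my own.

```shell
#!/bin/sh
# Added audit script, not from the original post. Works on constructed
# copies of nsswitch.conf, pam.d/system and nss_ldap.conf so it runs offline.
set -u

WORK=$(mktemp -d /tmp/ldapaudit.XXXXXX)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample inputs, modelled on the post (values invented) ---
cat > "$WORK/nsswitch.conf" <<'EOF'
# sample nsswitch.conf
group:          files nis ldap
passwd:         files nis ldap
hosts:          files dns
EOF

cat > "$WORK/system" <<'EOF'
auth      sufficient  pam_ldap.so
auth      sufficient  pam_krb5.so     no_warn try_first_pass
auth      required    pam_unix.so     no_warn try_first_pass nullok
account   sufficient  pam_ldap.so
account   required    pam_unix.so
EOF

# nss_ldap.conf is read by unprivileged processes, so it must be
# world-readable; this sample deliberately contains a bindpw to be flagged.
cat > "$WORK/nss_ldap.conf" <<'EOF'
base    dc=example,dc=org
uri     ldap://ldap.example.org
binddn  cn=proxy,dc=example,dc=org
bindpw  not-a-real-secret
ssl     start_tls
tls_checkpeer yes
EOF

# nss_has_ldap FILE DATABASE: succeed if "ldap" is a source for DATABASE.
nss_has_ldap() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# pam_stack_has FILE TYPE MODULE: succeed if MODULE appears in the TYPE stack.
pam_stack_has() {
    awk -v type="$2" -v mod="$3" '
        /^[ \t]*#/ { next }
        $1 == type && $3 == mod { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# pam_unix_nullok FILE: succeed if pam_unix.so is given nullok on any line.
pam_unix_nullok() {
    awk '
        /^[ \t]*#/ { next }
        $3 == "pam_unix.so" { for (i = 4; i <= NF; i++) if ($i == "nullok") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# ldap_conf_uses_tls FILE: succeed only if the connection is encrypted
# (ldaps:// URI or "ssl start_tls"/"ssl on") AND the peer cert is checked.
ldap_conf_uses_tls() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "uri" && $2 ~ /^ldaps:\/\// { enc = 1 }
        tolower($1) == "ssl" && ($2 == "start_tls" || $2 == "on") { enc = 1 }
        tolower($1) == "tls_checkpeer" && $2 == "yes" { verify = 1 }
        END { exit ((enc && verify) ? 0 : 1) }' "$1"
}

# ldap_conf_leaks_bindpw FILE: succeed if a cleartext bindpw is present.
ldap_conf_leaks_bindpw() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "bindpw" { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# audit DIR: run every check, print findings, return the number of problems.
audit() {
    dir=$1; problems=0
    for db in passwd group; do
        nss_has_ldap "$dir/nsswitch.conf" "$db" \
            || { echo "nsswitch: $db does not list ldap"; problems=$((problems+1)); }
    done
    pam_stack_has "$dir/system" auth pam_ldap.so \
        || { echo "pam: no pam_ldap.so in auth stack"; problems=$((problems+1)); }
    pam_unix_nullok "$dir/system" \
        && { echo "pam: pam_unix.so has nullok (empty passwords accepted)"; problems=$((problems+1)); }
    ldap_conf_uses_tls "$dir/nss_ldap.conf" \
        || { echo "ldap: no TLS or no server certificate check"; problems=$((problems+1)); }
    ldap_conf_leaks_bindpw "$dir/nss_ldap.conf" \
        && { echo "ldap: cleartext bindpw in world-readable config"; problems=$((problems+1)); }
    return $problems
}

n=0; audit "$WORK" || n=$?
echo "problems found: $n"
```

Against the constructed files the script reports two findings (the `nullok` and the cleartext bindpw); pointing the functions at the real /etc/nsswitch.conf, /etc/pam.d/system and /usr/pkg/etc/nss_ldap.conf instead of the temp copies gives the same audit of a live host. If a bind password is required, keeping it in a root-only secret file rather than in the shared nss_ldap.conf avoids the exposure the last check flags.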
